Solved: Re: How to get event counts for multiple fields gr...

splunker1981 · ‎06-24-2016

Hello all,

New to Splunk and been trying to figure out this for a while now. Not making much progress, so thought I'd ask the experts. I would like to count events for two fields grouped by another field.

Right now, if I run the following command, I get the results I'm looking for, but the way they are being displayed is not exactly how I would like it.

searchHere | stats count as total by cust_action, account | stats values(cust_action) AS action, values(total) by account

This provides me something like shown below:

 account      action           total
 userA      submitted       4
              resubmitted     1
 userB      submitted       1
              resubmitted      0
 userC      submitted       1
              resubmitted     3
              cancelled     1

What I would like to do is have the column name in the results be the value from cust_action field and put the count below each one by per account

account     submitted     resubmitted     cancelled
userA      4             1               0

userB      1             0               0

userC      1             3               1

Thanks for the help in advanced.

somesoni2 · ‎06-24-2016

This should do it

searchHere | chart count as total over account by cust_action

View solution in original post

woodcock · ‎06-24-2016

Like this:

searchHere | chart  count BY account cust_action

somesoni2 · ‎06-24-2016

This should do it

searchHere | chart count as total over account by cust_action

How to get event counts for multiple fields grouped by another field?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!